2.2.1.5.1 ipsecFilter{GUID} Object Description

The following table specifies the attributes of the ipsecFilter class object, as specified in [MS-ADSC], [MS-ADA1], and [MS-ADA3].

| Name | Type | Description |
|---|---|---|
| objectClass | LDAPString | The Directory String that contains the object class. A typical value is "ipsecFilter". This attribute is only used during policy creation. |
| ipsecName | LDAPString | The user-constructed Directory String that contains the name for this filter. A typical value is "All traffic filter". |
| description | LDAPString | The user-constructed Directory String that is intended to contain a description of the filter group. A typical value is "My servers to protect". |
| whenChanged | UTC-coded string | The Unicode-generalized time syntax of the time and date that the policy was last changed. This value is set by the Active Directory server. |
| ipsecID | LDAPString | The Directory String that contains the curly braced GUID string value of the ipsecFilter object. A typical value is similar to the following: "{6A1E5C3F-72B7-11D2-ACF0-02603625CAFE}". |
| distinguishedName | Distinguished name | The Directory String description of the directory location of this ipsecFilter policy object. This MUST be in the DN format of [RFC2251]. This MUST be set by the protocol. A typical value is similar to the following: "CN=ipsecFilter{6A1E5C3F-72B7-11D2-ACF0-0260B025CAFE},CN=IP Security,CN=System,DC=myDomain,DC=contoso,DC=com". |
| ipsecOwnersReference | List of distinguished names | A list composed of Directory String references to the parent ipsecNFA objects that are associated with this filter. Note that a filter can be associated with multiple NFAs. The list MUST be composed of DNs in the format of [RFC2251]. The separator between two DNs is 2 bytes of value 0. For example: DN1 <2 bytes of 0> DN2, where DN1 and DN2 are distinguished names. |
| ipsecDataType | LDAPString | The identifier that describes the format of the following ipsecData attribute. This MUST be the Directory String representation of the unsigned integer value 0x100. |
| ipsecData | Octet string | The octet string representation of the binary data that specifies additional policy data stored as described in the following ipsecData-specific table. |

Note: The ipsecFilter object as specified in LDAP messages ([MS-ADSC], section 2.71 "Class ipsecFilter") is encoded using BER, as defined in [RFC2251] section 5.1.

The following table specifies the ipsecData attribute-specific sections, corresponding names, and data types for the assigned values for the purpose of IPsec policy configuration.

The values of these settings MUST NOT be interpreted by this protocol; that is, they are to be applied as is to the IPsec component, which can interpret them independently of the protocol or mechanism that was used to configure them. A description of the interpretation by the IPsec component is provided for informative purposes (as opposed to the syntax, which is normative).

Note that all fields specified in the following tables MUST appear in little-endian byte order.


Layout of ipsecData (fields in order; the original diagram shows 32-bit rows):

Filter-Policy-ID1 (16 bytes, optional)
Data-Length1 (4 bytes)
Number-Of-Filters1 (4 bytes)
Filter-Spec1 (variable)
Filter-Policy-ID2 (16 bytes, optional)
Data-Length2 (4 bytes)
Number-Of-Filters11 (4 bytes, optional)
Number-Of-Filters2 (4 bytes, optional)
Filter-Spec2 (variable)

Filter-Policy-ID1 (16 bytes): The identifier that specifies the BLOB as a collection of the legacy filter policy format. This is the GUID whose string representation is "{80DC20B5-2EC8-11D1-A89E-00A0248D3021}". This means that a legacy filter follows.

Data-Length1 (4 bytes): This field SHOULD<21> be the length of data, in bytes, of the Filter-Spec1 field. This MUST be an unsigned integer.

Number-Of-Filters1 (4 bytes): The number of Filter-Spec1 (legacy filters) that are present.

Filter-Spec1 (variable): The format of the data for the Legacy (V1) filter. This structure is repeated Number-Of-Filters1 times (or Number-Of-Filters11 times when Filter-Policy-ID2 is present).


Layout of Filter-Spec1 (fields in order; the original diagram shows 32-bit rows):

Source-Length-Of-DNS-Name1 (4 bytes)
Source-DNS-Name1 (variable)
Destination-Length-Of-DNS-Name1 (4 bytes)
Destination-DNS-Name1 (variable)
Filter-Description-Length1 (4 bytes)
Filter-Description1 (variable)
Filter-Specification-ID1 (16 bytes)
Legacy-Mirror-Options (4 bytes)
Legacy-Source-Address (4 bytes)
Legacy-Source-Mask (4 bytes)
Legacy-Destination-Address (4 bytes)
Legacy-Destination-Mask (4 bytes)
Legacy-Tunnel-Address (4 bytes)
Legacy-Protocol (4 bytes)
Legacy-Source-Port (2 bytes)
Legacy-Destination-Port (2 bytes)
Legacy-Is-Tunnel (1 byte)
Legacy-Special-Filter (1 byte)
Legacy-Filter-Options (2 bytes)

Source-Length-Of-DNS-Name1 (4 bytes): The length of the Source-DNS-Name1 field that follows.

Source-DNS-Name1 (variable): The source fully qualified domain name (FQDN) field whose length is described by Source-Length-Of-DNS-Name1.

Destination-Length-Of-DNS-Name1 (4 bytes): The length of the Destination-DNS-Name1 field that follows.

Destination-DNS-Name1 (variable): The destination FQDN field whose length is described by Destination-Length-Of-DNS-Name1.

Filter-Description-Length1 (4 bytes): The length of the filter-description field that follows.

Filter-Description1 (variable): The user-constructed Unicode, NULL-terminated text string that is intended to contain a description of this individual filter (for example, "Matches all ICMP packets between this computer and any other computer").

Filter-Specification-ID1 (16 bytes): The user-constructed identifier that identifies this individual legacy filter.

Legacy-Mirror-Options (4 bytes): An indicator that this filter needs to be mirrored. A mirrored filter is one that MUST be detected by generating a matching incoming and outgoing filter pair. (For example, "IP1 to IP2, mirrored" is detected as "IP1 to IP2" and "IP2 to IP1" directional filters.) This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | This filter is not mirrored. |
| 0x00000001 | This filter is mirrored. |

Legacy-Source-Address (4 bytes): The (IPv4) IP address of the traffic source address to apply the IPsec filter to. Note that 0x00000000 is a special value that means "any IP address".

Legacy-Source-Mask (4 bytes): The (IPv4) IP subnet mask for the source IP address specified in Source-Address.

Legacy-Destination-Address (4 bytes): The (IPv4) IP address of the traffic destination address to apply the IPsec filter to. Note that 0x00000000 is a special value that means "any IP address".

Legacy-Destination-Mask (4 bytes): The (IPv4) IP subnet mask for the destination IP address specified in Destination-Address.

Legacy-Tunnel-Address (4 bytes): The optional (IPv4) IP address of the traffic IPsec tunnel mode endpoint to apply the IPsec filter to. Note that this field MUST NOT be interpreted unless the Legacy-Is-Tunnel field specifies that this is a tunnel filter.

Legacy-Protocol (4 bytes): The protocol number that specifies the (IPv4) IP traffic protocol to filter, for example, 0x00000006 for TCP and 0x00000011 for UDP. Note that 0x00000000 is a special value that means "any protocol". This MUST be an unsigned integer.

Legacy-Source-Port (2 bytes): The source port that this filter applies to. Note that 0x0000 is a special value that means "any port". This MUST be an unsigned integer.

Legacy-Destination-Port (2 bytes): The destination port that this filter applies to. Note that 0x0000 is a special value that means "any port". This MUST be an unsigned integer.

Legacy-Is-Tunnel (1 byte): Specifies that this filter is an IPsec tunnel-mode filter and the Legacy-Tunnel-Address field MUST be interpreted. This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00 | This filter is not a tunnel filter. |
| 0x01 | This filter is a tunnel filter. |

Legacy-Special-Filter (1 byte): Specifies that this filter is a special filter that has a predefined meaning and SHOULD<22> be interpreted based on the IP configuration of the host machine. One of the following values is used.

| Value | Meaning |
|---|---|
| 0x00 | This is not a special filter. |
| 0x01 | This filter is to use the local system's DNS server(s) (IPv4) IP address for the source address. |
| 0x02 | This filter is to use the local system's WINS server(s) (IPv4) IP address for the source address. |
| 0x03 | This filter is to use the local system's DHCP server (IPv4) IP address for the source address. |
| 0x04 | This filter is to use the local system's default-gateway (IPv4) IP address for the source address. |
| 0x81 | This filter is to use the local system's DNS server(s) (IPv4) IP address for the destination address. |
| 0x82 | This filter is to use the local system's WINS server(s) (IPv4) IP address for the destination address. |
| 0x83 | This filter is to use the local system's DHCP server (IPv4) IP address for the destination address. |
| 0x84 | This filter is to use the local system's default-gateway (IPv4) IP address for the destination address. |

Legacy-Filter-Options (2 bytes): The policy specification modifiers to apply to the filter policy. This MUST be 0x00.
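As an added example (not code from the MS-GPIPSEC specification or from any Microsoft component), the following Python parser walks the legacy part of an ipsecData BLOB described above: it checks Filter-Policy-ID1, reads Data-Length1 and Number-Of-Filters1, decodes each Filter-Spec1, bounds-checks every length field before slicing, and rejects a Data-Length1 that does not match the filters actually parsed. It assumes that the 4-byte legacy IPv4 address fields are in network byte order and that Filter-Description1 is UTF-16LE; the sample blob is constructed.

```python
# Parser for the legacy (V1) part of an ipsecFilter ipsecData BLOB. Added example,
# not code from MS-GPIPSEC or any Microsoft component; the sample blob is constructed.
# Assumptions: legacy IPv4 address bytes are in network order; Filter-Description1 is UTF-16LE.
import struct
import uuid
from ipaddress import IPv4Address

# Filter-Policy-ID1 GUID from the spec: marks the BLOB as a legacy filter collection.
FILTER_POLICY_ID1 = uuid.UUID("{80DC20B5-2EC8-11D1-A89E-00A0248D3021}")
# Fixed tail of Filter-Spec1 (little-endian): Mirror-Options, Source-Address, Source-Mask,
# Destination-Address, Destination-Mask, Tunnel-Address, Protocol, Source-Port,
# Destination-Port, Is-Tunnel, Special-Filter, Filter-Options.
LEGACY_TAIL = struct.Struct("<I4s4s4s4s4sIHHBBH")


class BlobError(ValueError):
    """A length or count field does not fit the data actually present."""


def _take(buf, off, n):
    # Every length comes from a directory object: check it before slicing.
    if off + n > len(buf):
        raise BlobError(f"{n} bytes requested at offset {off}, blob has {len(buf)}")
    return buf[off:off + n], off + n


def _length_prefixed(buf, off):
    raw, off = _take(buf, off, 4)
    return _take(buf, off, struct.unpack("<I", raw)[0])


def parse_filter_spec1(buf, off):
    """Parse one Filter-Spec1 at offset off; returns (fields, next_offset)."""
    src_dns, off = _length_prefixed(buf, off)
    dst_dns, off = _length_prefixed(buf, off)
    desc, off = _length_prefixed(buf, off)
    spec_id, off = _take(buf, off, 16)
    tail, off = _take(buf, off, LEGACY_TAIL.size)
    (mirror, sa, sm, da, dm, tun, proto, sport, dport,
     is_tunnel, special, options) = LEGACY_TAIL.unpack(tail)
    if mirror > 1 or is_tunnel > 1 or options != 0:
        raise BlobError("Mirror-Options, Is-Tunnel or Filter-Options out of range")
    return {
        "id": str(uuid.UUID(bytes_le=spec_id)),
        "description": desc.decode("utf-16-le").rstrip("\0"),
        "src_dns": src_dns, "dst_dns": dst_dns, "mirrored": bool(mirror),
        "src": (str(IPv4Address(sa)), str(IPv4Address(sm))),
        "dst": (str(IPv4Address(da)), str(IPv4Address(dm))),
        # Legacy-Tunnel-Address MUST NOT be interpreted unless Legacy-Is-Tunnel is set.
        "tunnel": str(IPv4Address(tun)) if is_tunnel else None,
        "protocol": proto, "sport": sport, "dport": dport, "special": special,
    }, off


def parse_ipsec_data_v1(blob):
    """Check Filter-Policy-ID1, then walk Number-Of-Filters1 legacy filters."""
    policy_id, off = _take(blob, 0, 16)
    if uuid.UUID(bytes_le=policy_id) != FILTER_POLICY_ID1:
        raise BlobError("Filter-Policy-ID1 does not mark a legacy filter collection")
    hdr, off = _take(blob, off, 8)
    data_len, count = struct.unpack("<II", hdr)
    start, filters = off, []
    for _ in range(count):
        entry, off = parse_filter_spec1(blob, off)
        filters.append(entry)
    # Data-Length1 SHOULD equal the Filter-Spec1 bytes; a mismatch is treated as a
    # malformed (or tampered) object rather than guessed around.
    if data_len != off - start:
        raise BlobError(f"Data-Length1 {data_len} != {off - start} Filter-Spec1 bytes")
    return filters


def build_sample_blob():
    """Constructed sample: one mirrored filter, any host -> 10.0.0.5, TCP port 443."""
    desc = "Constructed sample filter\0".encode("utf-16-le")
    spec = (struct.pack("<II", 0, 0)            # empty Source/Destination DNS names
            + struct.pack("<I", len(desc)) + desc
            + uuid.UUID(int=0x1234).bytes_le    # constructed Filter-Specification-ID1
            + LEGACY_TAIL.pack(1, bytes(4), bytes(4), IPv4Address("10.0.0.5").packed,
                               b"\xff\xff\xff\xff", bytes(4), 6, 0, 443, 0, 0, 0))
    return FILTER_POLICY_ID1.bytes_le + struct.pack("<II", len(spec), 1) + spec
```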

Filter-Policy-ID2 (16 bytes): Optional. The identifier that specifies the BLOB as a collection of the new Filter policy format. This SHOULD<23> be the GUID whose string representation is "{35FECD3D-AE29-4373-8A6A-C5D8FAB2FB08}". This means that a newer filter format, Filter-Spec2, follows.

Data-Length2 (4 bytes): This field MUST be the length, in bytes, of the Filter-Spec2 field. This MUST be an unsigned integer.

Number-Of-Filters11 (4 bytes): Optional. This field is present when Filter-Policy-ID2 is specified. The number of Filter-Spec1 (legacy filters) that are present. If this value is nonzero, it overrides the value present in Number-Of-Filters1.

Number-Of-Filters2 (4 bytes): Optional. This field is present when Filter-Policy-ID2 is specified. The number of Filter-Spec2 filters that are present.

Filter-Spec2 (variable): The format of the data for the version 2 (V2) filter.


Layout of Filter-Spec2 (fields in order; the original diagram shows 32-bit rows):

Source-Length-Of-DNS-Name2 (4 bytes)
Source-DNS-Name2 (variable)
Destination-Length-Of-DNS-Name2 (4 bytes)
Destination-DNS-Name2 (variable)
Filter-Description-Length2 (4 bytes)
Filter-Description2 (variable)
Filter-Specification-ID2 (16 bytes)
Mirror-Flags (4 bytes)
Source-Address-Data (40 bytes)
Destination-Address-Data (40 bytes)
Source-Port-Data (8 bytes)
Destination-Port-Data (8 bytes)
Filter-Protocol (4 bytes)
Filter-Flags (4 bytes)

Source-Length-Of-DNS-Name2 (4 bytes): The length of the Source-DNS-Name2 field that follows.

Source-DNS-Name2 (variable): The source FQDN field whose length is described by Source-Length-Of-DNS-Name2.

Destination-Length-Of-DNS-Name2 (4 bytes): The length of the Destination-DNS-Name2 field that follows.

Destination-DNS-Name2 (variable): The destination FQDN field whose length is described by Destination-Length-Of-DNS-Name2.

Filter-Description-Length2 (4 bytes): The length of the filter-description field that follows.

Filter-Description2 (variable): The user-constructed Unicode, NULL-terminated text string that is intended to contain a description of this individual filter (for example, "Matches all ICMP packets between this computer and any other computer").

Filter-Specification-ID2 (16 bytes): The user-constructed identifier that identifies this individual filter.

Mirror-Flags (4 bytes): An indicator that this filter needs to be mirrored. A mirrored filter is one that MUST be realized by generating a matching incoming and outgoing filter pair. (For example, "IP1 to IP2, mirrored" is realized as "IP1 to IP2" and "IP2 to IP1" directional filters.) This MUST be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | This filter is not mirrored. |
| 0x00000001 | This filter is mirrored. |

Source-Address-Data (40 bytes): The IP address of the traffic source to apply the IPsec filter to. This is specified in the following binary format. Note that all addresses are expected in network byte order.<24>


Layout of Source-Address-Data (fields in order; the original diagram shows 32-bit rows):

IPsec-Address-Type (4 bytes)
IPsec-Address-Version (4 bytes)
IP-Address-Data-Format (32 bytes)

IPsec-Address-Type (4 bytes): Specifies the type of address that the IPsec filter specifies. This includes special filter types that have a predefined meaning and are interpreted based on the IP configuration of the host machine. This MUST be one of the following values and MUST be an unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000000 | This is the filter that applies to all IP traffic (that is, any traffic filter). |
| 0x00000001 | This filter specifies a single IP address filter. |
| 0x00000002 | This filter specifies a range of IP addresses. |
| 0x00000004 | This filter specifies an IP subnet. |
| 0x00000008 | This filter is to use the local system's IP address(es) (that is, 'Me' traffic filter). |
| 0x00000010 | This filter is to use the local system's DNS server(s) IP address. |
| 0x00000020 | This filter is to use the local system's WINS server(s) IP address. |
| 0x00000040 | This filter is to use the local system's DHCP server IP address. |
| 0x00000080 | This filter is to use the local system's default-gateway IP address. |

IPsec-Address-Version (4 bytes): Specifies the IP version (IPv4/IPv6) of an address that the IPsec filter specifies. This MUST be one of the following values and MUST be an unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000001 | This filter specifies an IP version 4 (IPv4) address. |
| 0x00000002 | This filter specifies an IP version 6 (IPv6) address. |
| 0x00000003 | This filter specifies both an IP version 4 (IPv4) address and an IP version 6 (IPv6) address. |

The value 0x00000003 MUST only be used if the value of the IPsec-Address-Type is 0x00000008, 0x00000010, 0x00000020, 0x00000040, or 0x00000080.

IP-Address-Data-Format (32 bytes): The IP address or addresses of the traffic that defines the IPsec filter. This is specified in the following binary format. Note that all addresses are expected in network byte order.


Layout of IP-Address-Data-Format (fields in order; the original diagram shows 32-bit rows):

IP-Address (16 bytes)
IP-Address-Secondary (16 bytes)

IP-Address (16 bytes): The IP address of the traffic that defines the IPsec filter. If the IPsec-Address-Version field is 0x0001, this is the 4-byte (network byte order) representation of an IPv4 address (the remaining 12 bytes are not significant). If the IPsec-Address-Version field is 0x0002, this is the 16-byte (network byte order) representation of an IPv6 address. On reading, if the IPsec-Address-Version field is equal to 0x0003, the 16 bytes of the IP-Address field MUST be ignored. On writing, if the IPsec-Address-Version field is equal to 0x0003, the 16 bytes of the IP-Address field MUST be set to 0. Note that this field is only significant if the IPsec-Address-Type field is 0x0001, 0x0002, or 0x0004.

IP-Address-Secondary (16 bytes): The secondary IP address of the traffic that defines the IPsec filter. If the IPsec-Address-Version field is 0x0001, this is the 4-byte (network byte order) representation of an IPv4 address (the remaining 12 bytes are not significant). If the IPsec-Address-Version field is 0x0002, this is the 16-byte (network byte order) representation of an IPv6 address. Note that this field is only significant if the IPsec-Address-Type field is 0x0002 or 0x0004. If the IPsec-Address-Type field is 0x0002, this defines the last address in the applicable range of IP addresses for this filter. If the IPsec-Address-Type field is 0x0004, this defines the subnet mask for this filter. When a subnet filter is defined: if the IPsec-Address-Version field is 0x0001, this is the 4-byte (network byte order) representation of the IPv4 subnet mask; if the IPsec-Address-Version field is 0x0002, this is the 1-byte representation of the IPv6 subnet mask. The IPv6 subnet mask is a single byte that counts the number of prefix bits that compose the mask.

Destination-Address-Data (40 bytes): The IP address of the traffic destination to apply the IPsec filter to. This SHOULD<25> be specified in the same binary format as shown previously in the Source-Address-Data field and in the following table.

Layout of Destination-Address-Data (fields in order; the original diagram shows 32-bit rows):

IPsec-Address-Type (4 bytes)
IPsec-Address-Version (4 bytes)
IP-Address-Data-Format (32 bytes)

IPsec-Address-Type (4 bytes): Specifies the type of address that the IPsec filter specifies. This includes special filter types that have a predefined meaning and are interpreted based on the IP configuration of the host machine. This MUST be one of the following values and MUST be an unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000000 | This is the filter that applies to all IP traffic (that is, 'Any' traffic filter). |
| 0x00000001 | This filter specifies a single IP address filter. |
| 0x00000002 | This filter specifies a range of IP addresses. |
| 0x00000004 | This filter specifies an IP subnet. |
| 0x00000008 | This filter is to use the local system's IP address(es) (that is, 'Me' traffic filter). |
| 0x00000010 | This filter is to use the local system's DNS server(s) IP address. |
| 0x00000020 | This filter is to use the local system's WINS server(s) IP address. |
| 0x00000040 | This filter is to use the local system's DHCP server IP address. |
| 0x00000080 | This filter is to use the local system's default-gateway IP address. |

IPsec-Address-Version (4 bytes): Specifies the IP version (IPv4/IPv6) of an address that the IPsec filter specifies. This MUST be one of the following values, and this MUST be an unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000001 | This filter specifies an IP version 4 (IPv4) address. |
| 0x00000002 | This filter specifies an IP version 6 (IPv6) address. |
| 0x00000003 | This filter specifies both an IP version 4 (IPv4) address and an IP version 6 (IPv6) address. |

The value 0x00000003 MUST only be used if the value of the IPsec-Address-Type is 0x00000008, 0x00000010, 0x00000020, 0x00000040, or 0x00000080.

IP-Address-Data-Format (32 bytes): The IP address(es) of the traffic that define(s) the IPsec filter. This is specified in the following binary format. Note that all addresses are expected in network byte order.


Layout of IP-Address-Data-Format (fields in order; the original diagram shows 32-bit rows):

IP-Address (16 bytes)
IP-Address-Secondary (16 bytes)

IP-Address (16 bytes): The IP address of the traffic that defines the IPsec filter. If the IPsec-Address-Version field is 0x0001, this is the 4-byte (network byte order) representation of an IPv4 address (the remaining 12 bytes are not significant). If the IPsec-Address-Version field is 0x0002, this is the 16-byte (network byte order) representation of an IPv6 address. On reading, if the IPsec-Address-Version field is equal to 0x0003, the 16 bytes of the IP-Address field MUST be ignored. On writing, if the IPsec-Address-Version field is equal to 0x0003, the 16 bytes of the IP-Address field MUST be set to 0. Note that this field is only significant if the IPsec-Address-Type field is 0x0001, 0x0002, or 0x0004.

IP-Address-Secondary (16 bytes): The secondary IP address of the traffic that defines the IPsec filter. If the IPsec-Address-Version field is 0x0001, this is the 4-byte (network byte order) representation of an IPv4 address (the remaining 12 bytes are not significant). If the IPsec-Address-Version field is 0x0002, this is the 16-byte (network byte order) representation of an IPv6 address. Note that this field is only significant if the IPsec-Address-Type field is 0x0002 or 0x0004. If the IPsec-Address-Type field is 0x0002, this defines the last address in the applicable range of IP addresses for this filter. If the IPsec-Address-Type field is 0x0004, this defines the subnet mask for this filter. When a subnet filter is defined: if the IPsec-Address-Version field is 0x0001, this is the 4-byte (network byte order) representation of the IPv4 subnet mask; if the IPsec-Address-Version field is 0x0002, this is the 1-byte representation of the IPv6 subnet mask. The IPv6 subnet mask is a single byte that counts the number of prefix bits that compose the mask.

Source-Port-Data (8 bytes): The source port that this filter applies to. This is specified in the following binary format.<26>


Layout of Source-Port-Data (fields in order; the original diagram shows 32-bit rows):

IPsec-Source-Port-Type (4 bytes)
IPsec-Source-Port (2 bytes)
IPsec-Source-Port-Range-End (2 bytes)

IPsec-Source-Port-Type (4 bytes): Specifies the type of port that the IPsec filter specifies. This includes special port types that have a predefined meaning. This MUST be one of the following values and MUST be an unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000000 | This is the filter that applies to all ports (that is, 'Any' traffic filter). |
| 0x00000001 | This filter specifies a single port. |
| 0x00000002 | This filter specifies a range of ports. |

IPsec-Source-Port (2 bytes): Specifies the port number for the IPsec filter. This includes the following special modifiers: if IPsec-Port-Type is 0x0000, this value is not significant; if IPsec-Port-Type is 0x0001, this is the port the IPsec filter applies to; if IPsec-Port-Type is 0x0002, this is the first port in the port range to apply the IPsec filter to.

IPsec-Source-Port-Range-End (2 bytes): Specifies the port number for the end of the port range for the IPsec filter. This includes the following special modifiers: if IPsec-Port-Type is 0x0000 or IPsec-Port-Type is 0x0001, this value is not significant; if IPsec-Port-Type is 0x0002, this is the last port in the port range to apply the IPsec filter to.

Destination-Port-Data (8 bytes): The destination port that this filter applies to. This is specified in the same binary format as shown previously in the Source-Port-Data field and in the following table.<27>


Layout of Destination-Port-Data (fields in order; the original diagram shows 32-bit rows):

IPsec-Destination-Port-Type (4 bytes)
IPsec-Destination-Port (2 bytes)
IPsec-Destination-Port-Range-End (2 bytes)

IPsec-Destination-Port-Type (4 bytes): Specifies the type of port that the IPsec filter specifies. This includes special port types that have a predefined meaning. This MUST be one of the following values and MUST be an unsigned integer.

| Value | Meaning |
|---|---|
| 0x00000000 | This is the filter that applies to all ports (that is, 'Any' traffic filter). |
| 0x00000001 | This filter specifies a single port. |
| 0x00000002 | This filter specifies a range of ports. |

IPsec-Destination-Port (2 bytes): Specifies the port number for the IPsec filter. This includes the following special modifiers: if IPsec-Port-Type is 0x0000, this value is not significant; if IPsec-Port-Type is 0x0001, this is the port the IPsec filter applies to; if IPsec-Port-Type is 0x0002, this is the first port in the port range to apply the IPsec filter to.

IPsec-Destination-Port-Range-End (2 bytes): Specifies the port number for the end of the port range for the IPsec filter. This includes the following special modifiers: if IPsec-Port-Type is 0x0000 or IPsec-Port-Type is 0x0001, this value is not significant; if IPsec-Port-Type is 0x0002, this is the last port in the port range to apply the IPsec filter to.

Filter-Protocol (4 bytes): This SHOULD<28> be an unsigned integer. The protocol number that specifies the IP traffic protocol to filter. For example, 0x00000006 for TCP and 0x00000011 for UDP. Note that 0x00000000 is a "special" value that means "Any Protocol".

Filter-Flags (4 bytes): The flags that specify optional additional behavior. This SHOULD<29> be a word value and be one of the following values.

| Value | Meaning |
|---|---|
| 0x00000000 | No flag value. This MUST NOT be interpreted as significant. |
| 0x00000008 | Use version-2 (v2) filter ranges. This value is set when using address ranges. If the address set is expressed both as version-1 (v1) expanded subnets and as a v2 address range, the flag means that the v1 expanded subnets are to be ignored, because the IPsec component can process the v2 filter expressed as an address range. |
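As an added example (not code from the MS-GPIPSEC specification or from any Microsoft component), this Python decoder applies the rules given above for the 40-byte Source-Address-Data and Destination-Address-Data structures (IPsec-Address-Type, IPsec-Address-Version, the IP-Address pair, the restriction on version 0x00000003, and the 1-byte IPv6 prefix length) and for the 8-byte Source-Port-Data and Destination-Port-Data structures. The encoder and every sample value are constructed for this example.

```python
# Decoder for the 40-byte *-Address-Data and 8-byte *-Port-Data structures of a V2
# filter (Filter-Spec2). Added example, not code from MS-GPIPSEC or any Microsoft
# component; the encoder and every sample value here are constructed for this example.
import struct
import ipaddress

ADDR_ANY, ADDR_SINGLE, ADDR_RANGE, ADDR_SUBNET = 0x0, 0x1, 0x2, 0x4
# Types resolved from the host's own IP configuration: Me, DNS, WINS, DHCP, gateway.
SPECIAL_TYPES = {0x8, 0x10, 0x20, 0x40, 0x80}
VER_V4, VER_V6, VER_BOTH = 0x1, 0x2, 0x3
PORT_ANY, PORT_SINGLE, PORT_RANGE = 0x0, 0x1, 0x2


def _addr(raw16, version):
    # IPv4 uses the first 4 bytes (remaining 12 not significant); IPv6 uses all 16.
    if version == VER_V4:
        return ipaddress.IPv4Address(raw16[:4])
    return ipaddress.IPv6Address(raw16)


def decode_address_data(data):
    """Decode one 40-byte Source-/Destination-Address-Data structure into a dict."""
    if len(data) != 40:
        raise ValueError("address data must be exactly 40 bytes")
    atype, version = struct.unpack_from("<II", data, 0)   # little-endian per the spec
    primary, secondary = data[8:24], data[24:40]           # addresses: network byte order
    if version not in (VER_V4, VER_V6, VER_BOTH):
        raise ValueError(f"bad IPsec-Address-Version {version:#x}")
    if version == VER_BOTH and atype not in SPECIAL_TYPES:
        raise ValueError("IPsec-Address-Version 0x3 is only valid for special address types")
    out = {"type": atype, "version": version}
    if atype == ADDR_ANY or atype in SPECIAL_TYPES:
        return out  # IP-Address and IP-Address-Secondary are not significant here
    if atype == ADDR_SINGLE:
        out["address"] = _addr(primary, version)
    elif atype == ADDR_RANGE:
        first, last = _addr(primary, version), _addr(secondary, version)
        if last < first:
            raise ValueError("IP-Address-Secondary precedes IP-Address in a range filter")
        out["range"] = (first, last)
    elif atype == ADDR_SUBNET and version == VER_V4:
        mask = str(ipaddress.IPv4Address(secondary[:4]))   # 4-byte IPv4 subnet mask
        out["network"] = ipaddress.IPv4Network((_addr(primary, version), mask), strict=False)
    elif atype == ADDR_SUBNET:
        # For IPv6 the mask is a single byte holding the prefix length.
        out["network"] = ipaddress.IPv6Network((_addr(primary, version), secondary[0]), strict=False)
    else:
        raise ValueError(f"unknown IPsec-Address-Type {atype:#x}")
    return out


def decode_port_data(data):
    """Decode one 8-byte Source-/Destination-Port-Data into (type, (first, last))."""
    ptype, port, range_end = struct.unpack("<IHH", data)
    if ptype == PORT_ANY:
        return ptype, None            # port fields are not significant
    if ptype == PORT_SINGLE:
        return ptype, (port, port)    # range end is not significant
    if ptype == PORT_RANGE:
        if range_end < port:
            raise ValueError("port range end precedes range start")
        return ptype, (port, range_end)
    raise ValueError(f"unknown port type {ptype:#x}")


def encode_address_data(atype, version, primary=b"", secondary=b""):
    """Constructed encoder (not from the spec) for building samples; pads to 16 bytes each."""
    return struct.pack("<II", atype, version) + primary.ljust(16, b"\0") + secondary.ljust(16, b"\0")


if __name__ == "__main__":
    sample = encode_address_data(ADDR_SUBNET, VER_V4, bytes([10, 1, 2, 0]), bytes([255, 255, 255, 0]))
    print(decode_address_data(sample)["network"])                      # 10.1.2.0/24
    print(decode_port_data(struct.pack("<IHH", PORT_RANGE, 1, 1023)))  # (2, (1, 1023))
```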